[PATCH 1/3] man: Document pitfall with negative permissions and user namespaces

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



It is little known that user namespaces and some helpers
can be used to bypass negative permissions.

Signed-off-by: Richard Weinberger <richard@xxxxxx>
---
This patch applies to the acl software project.
---
 man/man5/acl.5 | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/man/man5/acl.5 b/man/man5/acl.5
index 0db86b325617..2ed144742e37 100644
--- a/man/man5/acl.5
+++ b/man/man5/acl.5
@@ -495,5 +495,20 @@ These non-portable extensions are available on Linux systems.
 .Xr acl_from_mode 3 ,
 .Xr acl_get_perm 3 ,
 .Xr acl_to_any_text 3
+.Sh NOTES
+.Ss Negative permissions and Linux user namespaces
+While it is technically feasible to establish negative permissions through
+ACLs, such an approach is widely regarded as a suboptimal practice.
+Furthermore, the utilization of Linux user namespaces introduces the
+potential to circumvent specific negative permissions.  This issue stems
+from the fact that privileged helpers, such as
+.Xr newuidmap 1 ,
+enable unprivileged users to create user namespaces with subordinate user and
+group IDs. As a consequence, users can drop group memberships, resulting
+in a situation where negative permissions based on group membership no longer
+apply.
+For more details, please refer to the
+.Xr user_namespaces 7
+documentation.
 .Sh AUTHOR
 Andreas Gruenbacher, <andreas.gruenbacher@xxxxxxxxx>
-- 
2.26.2




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux